The final rule requires covered entities to have an internal process for individuals to make complaints regarding the covered entities' privacy policies and procedures required by the rule and its compliance with such policies. The requirement includes identifying a contact person or office responsible for receiving complaints and documenting all complaints received and the disposition of such complaints, if any. The covered entity only is required to receive and document a complaint (the complaint can be oral or in writing), which should take a short amount of time. The Department believes that complaints about a covered entity's privacy policies and procedures will be uncommon. Thus, the burden on small businesses should be minimal.